About SAFLII
Databases
Search
Terms of Use
RSS Feeds
South Africa: South Gauteng High Court, Johannesburg
SAFLII
>>
Databases
>>
South Africa: South Gauteng High Court, Johannesburg
>>
2010
>>
[2010] ZAGPJHC 112
|
|
Nashua Mobile (Pty) Ltd v GC Pale CC t/a Invasive Plant Solutions (A3044/2010) [2010] ZAGPJHC 112; 2012 (1) SA 615 (GSJ) (18 November 2010)
Links to summary
IN THE SOUTH GAUTENG
HIGH COURT
(JOHANNESBURG)
REPORTABLE
CASE NUMBER: A3044/2010
DATE: 18/11/2010
In the matter between:
NASHUA
MOBILE (PTY) LTD
........................................
Appellant
/ Defendant a quo
and
GC PALE CC t/a Invasive
Plant Solutions
.........................
Respondent
/ Plaintiff a quo
_____________________________________________________________________
JUDGEMENT
_____________________________________________________________________
NGALWANA AJ
Introduction
[1] This is an appeal
against the order of the additional magistrate who presided in the
civil court for the district of Randburg.
The order was handed down
on 3 December 2009.
[2] In this judgment I
shall, for the sake of convenience, refer to the appellant as “the
defendant” and to the respondent
as “the plaintiff”.
[3] The plaintiff had
instituted a delictual action against the defendant
1
for losses suffered when unauthorised money transfers were effected
out of the plaintiff’s internet bank account by a person
(unknown to the plaintiff and unauthorised by it to do so) who
managed to obtain from the defendant a SIM card (through a process
known as “SIM swap”) containing the cell-phone number of
an employee of the plaintiff.
[4] The bank account
out of which these unauthorised transactions were effected was held
with Nedbank. The plaintiff was at all
material times the defendant’s
customer and had numerous cell-phone contracts with the defendant.
[5] The defendant, by
notice of motion and founding affidavit, also seeks condonation for
the late filing of the record and late
prosecution of this appeal.
The plaintiff filed opposing papers resisting the condonation
application, and in turn sought condonation
for the late filing of
its opposing papers. At the hearing of the appeal, counsel sensibly
agreed that indulgence be granted in
both instances and that no costs
be ordered in either.
[6] Other issues have
been raised concerning the admissibility of certain documents and
whether or not the defendant’s staff
who negligently acquiesced
in the unauthorised request for a SIM swap did so in the course and
scope of their employment. This
line was not pursued in argument and
so I say nothing further thereon. In any event, because of the view I
take of this matter
it is not necessary to decide those issues.
[7] This court knows of
no similar case that has previously been decided by our courts, and
counsel has pointed us to none, particularly
in relation to the
cell-phone industry.
The Facts
[8] The salient facts
are largely common cause. The defendant called no witnesses and
adduced no evidence in resisting the plaintiff’s
claim. The
version put up by the plaintiff’s three witnesses was not
challenged. Thus, on the uncontested evidence the following
facts
emerge.
[9] Early in January
2008
2
a man walked into a Nashua Mobile outlet in Musgrave, Durban, and
requested a SIM-card for a cell-phone number 082 804 9505.
It
was given to him. That cell-phone number belonged to a Hilda Barnard
(“Barnard”) who worked for the plaintiff in
George. She
had registered it with Nedbank, George, as the number through which
her internet banking transactions on the plaintiff’s
bank
account would be verified and notified. The man in question was
unknown to her and the plaintiff.
[10] On Thursday 10
January 2008 amounts in excess of R160 000 were fraudulently
transferred from the plaintiff’s Nedbank
account (through a
series of internet banking transactions) to beneficiaries unknown to
Barnard and the plaintiff. (I pause here
to point out that according
to a Nedbank employee who testified for the plaintiff (“Albertyn”),
a Nedbank accountholder
would require a reference number, sent by the
bank by SMS exclusively to the registered cell-phone number, in order
to complete
an internet banking transaction involving (a) the
addition of a new payment beneficiary, (b) amendment of details of an
existing
payment beneficiary, and (c) making a once-off payment to a
new beneficiary.)
[11] Since the
fraudulent internet banking transactions involved, on the face of it,
once-off payments to new beneficiaries, the
first of these SMS
reference numbers was sent by Nedbank to Barnard’s cell-phone
number at 18h43 on 10 January 2008 according
to a statement of facts
that was admitted into evidence by agreement between the parties. By
that time, Barnard was at home where
she did not have access to a
land line telephone. She noticed that she could not make calls on her
cell-phone but thought nothing
of it.
[12] At about 08h00 the
following morning (Friday 11 January 2008) she called the defendant
from her work telephone land line to
ascertain why she could not make
calls from her cell-phone. She was told by one Tyrone that a SIM swap
had been authorised on her
cell-phone number the previous day.
[13] When her boss
(“Kuyler”) asked her around 09h00 that morning to make an
internet payment out of the plaintiff’s
Nedbank account to a
new beneficiary, she was not able to access the account. Kuyler then
called the George Nedbank branch, was
invited to a meeting, and was
informed that the details he required to access the internet account
had been fraudulently altered
and that some R160 940 had been
transferred out of the plaintiff’s account. The bank managed to
recover or reverse R24 786.19
of the fraudulent transfers.
Kuyler reported the matter to the police.
[14] On Thursday 17
January 2008 Kuyler wrote a letter to Nedbank expressing a suspicion
that Nedbank employees may be involved
in the fraudulent transactions
and demanding full reimbursement as a matter of urgency. He also
advised that he would take action
against the defendant for
negligence.
[15] It is not clear
what became of the demand against Nedbank because a summons was
issued out of the Randburg Magistrates Court
only against the
defendant for R100 000, the balance of R36 153.81 having
been abandoned in order to bring the claim
within the jurisdiction of
that Court.
The Cause of Action
[16] In its particulars
of claim the plaintiff alleged that
[16.1] at all material
times it had various cell-phone contracts with the defendant that
were of full force and effect;
[16.2] one of those
contracts was used by an employee of the plaintiff called Hilda
Barnard;
3
[16.3] the defendant
owed it a duty of care not to effect unauthorised changes to the
operation of the cell-phone under that contract;
[16.4] it was within
the defendant’s power under that contract to prevent the
fraudulent replacement of a SIM card in relation
thereto;
[16.5] the defendant
knew or ought reasonably to have known that the plaintiff relied on
it to exercise reasonable care and skill
in the replacement of a SIM
card in relation to the contract;
[16.6] the defendant
failed to adhere to the duty of care that it owed to the plaintiff by
virtue of the contractual relationship
in that it failed to ensure
that the person obtaining the replacement SIM card was the rightful
possessor of all rights to the
cell-phone number to which that SIM
card relates. This was unlawful and negligent.
The Evidence
[17] As has already
been pointed out, the plaintiff adduced the evidence of three
witnesses (Albertyn, Kuyler and Barnard) and the
written statement of
one witness (Fairhurst) which was admitted by agreement.
[18] Albertyn, a
Nedbank employee who was head of internet and cell-phone banking,
testified that a “hypothetical fraudster”
would require
more than just the accountholder’s SIM card to access the
targeted Nedbank account through the internet. He
would also require
the accountholder’s profile number, PIN number and password.
[19] He also testified
that the SIM card, to which is allocated one cell-phone number, is a
vehicle through which the bank either
confirms or authenticates
internet banking transactions with the accountholder by SMS. This
occurs only in three instances: (a)
when a new payment beneficiary is
added to the account through the bank’s internet banking
website, (b) when the details
of an existing payment beneficiary are
amended, and (c) when a once-off internet payment is made to a new
beneficiary. But, as
I understand his evidence, before performing any
one of these transactions the “hypothetical fraudster”
would first
need to gain access to the accountholder’s bank
account through the Nedbank website. That access is gained by a
combination
of the accountholder’s profile number, PIN number
and password.
[20] This combination
can be obtained by the “hypothetical fraudster” through a
stratagem known as “phishing”.
Albertyn explains how it
works in these terms:
“
[F]raudsters
will … send out an e-mail to a base of clients and they
pretend to be the bank. So the e-mail would appear as
if it is from …
Nedbank, and it will say something to the effect that we need to
update our security systems or the system
indicates that your records
are out of date, and it usually has some sort of threat to say if you
do not do it by the end of the
day you are not going to have access
to your internet banking. … It appears to be an e-mail sent
from the bank and there
will usually be a link inside that e-mail and
the e-mail will say please click on this link to update your details.
The customer
who is not vigilant will click on that and will be taken
to a website that is not the bank’s. It will appear as if it is
the bank’s, but it will actually be the fraudster’s
website. They [the victims] will then proceed to enter their personal
information and that will fall into the hands of the fraudster, and
then in that way they have stolen your on-line identity.
…
MR KUJAWA
:
So in that way they could get hold of a customer’s profile
number, PIN number and password. - - That is correct.”
[21] Kuyler, the owner
and sole member of the business,
4
confirmed under cross examination that one would require all four
items in order to gain access to the plaintiff’s internet
Nedbank account and that a SIM card on its own would not afford that
access.
“
MR
KUJAWA
:
[W]ould you agree with me that for somebody to access your bank
account and remove money from your bank account they would need
…
your profile number, your PIN, your password and a SIM card. - -
Correct.
…
MR
KUJAWA
:
Okay. So in other words to withdraw money, all four of those elements
would be required, not just the one. If they just had your
SIM card
but they did not have the other details, they could not do nothing
with it [sic]. -- That is correct, they could not
yes.”
[22] Barnard, Kuyler’s
secretary who is the only other person who has access to the
plaintiff’s Nedbank account and,
according to Kuyler, “hanteer
al die banksake”, denied receiving an e-mail of the kind
described by Albertyn but could
not explain how the fraudster gained
access to the plaintiff’s Nedbank account and siphoned off over
R160 000 from it
through the Nedbank website.
Is Delictual
Liability Competent
?
[23] The case that was
advanced at the trial centred on delictual liability despite the
averment in the particulars of claim of
the existence of a contract.
5
[24] At the
commencement of counsel’s address in argument on appeal, they
were both asked to consider the effect, if any,
of the majority
judgment in
Lillicrap,
Wassenaar and Partners v Pilkington Brothers (SA) (Pty) Ltd
1985
(1) SA 475
(A) on the facts of this case.
[25] Counsel for the
defendant, unsurprisingly, leapt up and submitted that this case can
be disposed of on the strength of
Lillicrap
.
Plaintiff’s counsel on the other hand contended for a different
approach, arguing strongly that
Lillicrap
sits uncomfortably with the facts of this case. He preferred a later
judgment of the Supreme Court of Appeal in
Holtzhausen
v ABSA Bank Ltd
2008 (5) SA 630
(SCA) for the proposition that our law does
acknowledge a concurrence of actions where the same set of facts can
give rise to a
claim for both delictual and contractual damages, and
permits the plaintiff in such a case to choose which he wishes to
pursue.
[26] In my view, while
the proposition is correct that the same set of facts can conceivably
give rise simultaneously to a claim
for damages in delict and in
contract, I do not believe that this is such a case.
Lillicrap
decided that a claim in delict is not competent where the negligence
relied upon arises from a breach of a contractual term.
6
In that case the respondent did not contend that the appellant would
have been under a duty to exercise diligence if no contract
had been
concluded requiring it to perform professional services.
7
In other words, no right that existed independently of the contract
was infringed. In
Holtzhausen
,
on the other hand, the plaintiff's case was that the defendant had
infringed a right which he (the plaintiff) had independently
of the
contract.
8
[27] In this case, the
defendant would not have owed the plaintiff any duty of care if it
did not have a cell-phone contractual
relationship with the
plaintiff. In fact, that is precisely what the plaintiff pleaded in
its particulars of claim.
9
The manner in which the cause of action is couched demonstrates
clearly that the delictual claim derives from a failure to adhere
to
a duty of care that is owed by reason of a contractual relationship
between the parties that is of full force and effect.
10
In argument, counsel for the plaintiff was at pains to impress upon
us that the defendant should reasonably have foreseen the loss
occurring because the details of the person to whom it negligently
gave a SIM card did not match those contained in plaintiff’s
subscriber application form that formed part of the contract.
[28] It is thus clear
that the facts of this case fall more readily in the
Lillicrap
than in the
Holtzhausen
divide. Because the right that the plaintiff seeks to assert does not
arise independently of its contract with the defendant, the
option of
suing for damages in delict is not open to it.
[29] On that ground the
appeal should succeed and the magistrate’s order set aside and
substituted with an order dismissing
the claim.
[30] But even if I am
wrong in this regard, the plaintiff has in my view not succeeded in
establishing that the defendant was the
cause of its loss in any
event. This is the issue I now consider.
Has the Causal Link
Been Established
?
[31] The appeal was
argued on the basis that even if the defendant were negligent, the
plaintiff’s claim must fail. I thus
approach this aspect of the
case on the assumption (and nothing more) that negligence has been
established.
[32] If, as Albertyn
and Kuyler testified, no access can be gained to the plaintiff’s
account via the internet through SIM
card alone, then it seems to me
that the defendant’s negligent omission cannot reasonably be
said to be the proximate cause
of the plaintiff’s loss. In the
absence of any explanation as regards how the fraudster could have
obtained the plaintiff’s
or Barbara’s profile number, PIN
number and password, then the only logical answer would seem to me to
be that either Barnard
or Kuyler (the only people at plaintiff who
have access to the account) did receive the e-mail and clicked on the
link described
by Albertyn (but genuinely do not recall), or the
fraudster received a helping hand either inside the bank or inside
the plaintiff
from someone or people who had that information. The
only other explanation, postulated by Albertyn but promptly dismissed
by him
as being unlikely, is that the fraudster was “extremely
lucky” to be able to guess the profile number, PIN number and
password together.
[33] The fact that the
negligence of the defendant led to the issue of a false SIM card does
not explain how the fraudster obtained
knowledge of the other three
elements. No proof was supplied by the plaintiff that the defendant
was in any way involved in or
responsible for the fraudster obtaining
knowledge of the other three elements. Thus, even if the defendant
negligently issued the
SIM card without properly checking its data
with that of the fraudster, the question remains unanswered as
regards how he obtained
the correct knowledge of the other three
elements. The absence of this link is in my view the soft
underbelly in the plaintiff’s
case. To impute delictual
liability on the defendant when there are persons at large who helped
the fraudster complete the puzzle
with the other three elements that
are necessary to perpetrate the fraud would in my view be palpably
unfair or unreasonable. Contenders
may include the bank, as Kuyler
himself suspected at one stage, and we are not told what changed his
mind.
[34] As regards
foresee-ability of the loss by the defendant, counsel for the
plaintiff conceded (as he must) that the negligent
issue of a SIM
swap to a stranger would not always lead to a loss of the kind here
in issue. He maintained, however, that the defendant
must have
foreseen that the fraudster could obtain the other three elements in
one or other fashion (including phishing) and be
able to complete the
fraudulent transactions on the plaintiff’s internet bank
account using the SIM card. This in my view
demonstrates the
remoteness of the loss from the negligent omission by the defendant.
If the defendant’s negligence requires
another negligent or
fraudulent conduct by an unknown third party to trigger the loss,
then one cannot say that the initial negligence
caused the
plaintiff’s loss.
[35] But even if the
negligent supply of the SIM card to the fraudster can be said to have
contributed to the plaintiff’s
loss, negligent omission does
not give rise to delictual liability unless it is also wrongful.
11
Wrongfulness in these circumstances is established only where the
imposition of liability for the negligent omission in the
circumstances
of the case is reasonable.
12
Reasonableness in this context describes the imposition of liability
and not the negligent omission. In other words, the question
is not
whether or not the defendant, in light of the duty of care it owed to
the plaintiff, acted reasonably in authorising the
SIM swap to a
stranger; it is rather whether the imposition of liability on the
defendant in the circumstances of this case is
reasonable.
13
This is a public policy consideration.
[36] On the facts of
this, the loss to the plaintiff is simply too remote from the
negligent omission to impute a delictual liability
on the defendant.
Conclusion
[37] In the result, the
appeal must succeed in my view and I make the following order:
The appeal is upheld
with costs.
The order of the
magistrate is set aside and therefor is substituted the following
“
The plaintiff’s
claim is dismissed with costs as on exception.”
Dated on this the
day of November 2010 at Johannesburg.
__________________________
V Ngalwana
Acting Judge of the
High Court
I agree
____________________________
CJ CLAASSEN
JUDGE OF THE HIGH COURT
It is so ordered.
Appearances
For the
appellant: Adv RMW KUJAWA
Instructed
by: Simpson-Masenamela’s (Fourways)
For the
respondent: Adv H VAN TONDER
Instructed
by: Marinus van Jaarsveld Attorneys (Randburg)
Date of hearing: 15
November 2010
Date of
Judgment: 18 November 2010
1
A cellular phone service provider
2
The application letter is dated 4 January 2008
but the “SIM SWOP CONTROL SHEET” bearing the name and
signature of
the unknown person is dated 10 January 2008.
3
This was the contract that was compromised by
the defendant’s issue of the SIM swap
4
A close corporation
5
See par [16] above
6
See
Lillicrap
at 499A-501H
7
At 499A-B
8
Holtzhausen
at par [8]
9
See pars 4, 8 and 9 of the particulars of claim
10
See par [15] above
11
Shabalala v
Metrorail
2008 (3) SA 142
(SCA) at par
[7]
12
Trustees, Two
Oceans Aquarium Trust v Kantey and Templer (Pty) Ltd
2006 (3) SA 138
(SCA) par [11]
13
Ibid